by yongjik 1442 days ago
We can say the same thing about maintainers of PyPI. They host your libraries and serve them to anyone who wants them, free of charge. The only thing they ask in return is to maintain a minimum level of security so that they have fewer headaches in the future.

I think they also deserve some respect.


Yep. Both parties here are within their rights. It's the HN comment about entitlement of the maintainer that I was responding to.

I think both parties are within their rights, but I also think this is a stupid move on PyPI's part. Maintainers are already working for free; start making them jump through hoops and some will decide it's all too much work and leave.

I think it would be much better to throw up a warning (potentially a loud one) when a dependency is maintained by someone without 2FA.

Packages being taken over because of stolen credentials creates a maintenance nightmare, and bad publicity, for PyPI itself. As such, they have every right, and a reasonable need, to require 2FA. In contrast, the maintainers of PyPI don't lose too much if a few projects choose not to use the platform anymore. Remember, you're not paying PyPI anything either, so the fact that it may inconvenience your own projects, whether free or proprietary, is not their problem.